Description
In affected versions of Octopus Server, permissions were not checked correctly, resulting in any authenticated user being able to make server-level changes using a certain API endpoint despite receiving an error.
Published: 2026-06-04
Score: 6.0 (Medium)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrect permission checks in Octopus Server. As a result, any authenticated user can invoke a particular API endpoint to make server-level changes, even though the API call returns an error. Because the change is applied despite the error response, the flaw enables unauthorized modification of configuration and settings that should be restricted to privileged users, potentially compromising the integrity of the deployment environment.

Affected Systems

The affected product is Octopus Deploy Octopus Server. Specific affected versions are not listed in the record, so every deployed instance of Octopus Server should be treated as potentially vulnerable until a release that restores proper access control on the endpoint is installed. The issue is limited to the server component and does not affect the client or agent.

Risk and Exploitability

The CVSS score of 6.0 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication (PR:L in the published CVSS vector), so an attacker must already hold valid credentials for the server. With those credentials, the susceptible API can be used to make unintended server-level configuration changes. Exploitation does not involve remote code execution, but the effect on the server's configuration could be significant. Note that the published CVSS 4.0 vector rates the availability impact as High (VA:H) and the integrity impact as None (VI:N), so the practical effect on a given deployment should be assessed from the vendor's details once they are available.

Generated by OpenCVE AI on June 4, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Octopus Server to a version that implements proper permission checks on the vulnerable API endpoint.
  • If an update is not immediately possible, restrict non-admin users to read-only roles for the API, or block the affected endpoint (for example at a reverse proxy) until the fix is applied.
  • Monitor and audit API usage logs for server-level configuration changes made by non-administrative accounts, and enforce network segmentation so that only trusted components can reach the Server API.


Tracking


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Title Authenticated User Can Perform Server-Level Changes via API in Octopus Server
Weaknesses CWE-285

Thu, 04 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description In affected versions of Octopus Server, permissions were not checked correctly, resulting in any authenticated user being able to make server-level changes using a certain API endpoint despite receiving an error.
References
Metrics cvssV4_0: score 6.0, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-06-04T08:49:59.083Z

Reserved: 2026-03-26T07:19:05.417Z

Link: CVE-2026-4881

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T10:16:39.723

Modified: 2026-06-04T10:16:39.723

Link: CVE-2026-4881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T11:30:12Z

Weaknesses